Hack of Payday Lender ‘Dave’: All 7.5M Users Breached

Hackers breached Dave.com a few weeks ago, leaking the personal information of all of its users. And we’re only finding out about it now.

They called it a fintech unicorn. They said it was worth one billion dollars. They look pretty foolish now, no?

Dave is blaming a “former” service provider. But the fact that a hacker was able to pivot from an analytics platform into Dave’s private database speaks volumes about Dave’s DevOps chops. In today’s SB Blogwatch, we roll another Jackson.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Uncanny Valley Is Wrong.


I’m Sorry, Dave

What’s the craic? Catalin Cimpanu reports—“Tech unicorn Dave admits to security breach”:

 Dave said the security breach originated on the network of a former business partner, Waydev, an analytics platform. … The company said it … is in the process of notifying customers.

[I] learned of the security breach early on Saturday morning. … A hacker was offering the Dave app’s user data on RAID, a hacking forum that has built a reputation for being the go-to place for hackers to leak databases.

Going by the name of ShinyHunters, this is the same person/group who also breached and leaked/sold data from many other companies, including Mathway, Tokopedia, Wishbone, and many more. … The data includes a wealth of information, such as real names, phone numbers, emails, birth dates … home addresses [and encrypted] Social Security numbers. … Passwords were also included but were hashed using bcrypt.

I bet there’s more to this story. Lawrence Abrams brings more to the story—“there is a bit more to the story”: [You’re fired—Ed.]

 Dave is a fintech company that allows users to link their bank accounts and receive cash advances … to avoid overdraft fees. Subscribers … can get a payday loan up to $100.

Earlier this month … Cyble told [me] that a threat actor was auctioning the database for Dave on a hacker forum. At the time, Cyble … told Dave about the auction and were told that the issue was being worked on.

The same actor was also auctioning databases for Swvl.com and Dunzo.com. On July 11th, 2020, Dunzo disclosed that they suffered a data breach. On approximately July 14th, 2020, the Dave auction post was deleted from the hacker forum, and Cyble learned that it was sold in a private sale for roughly $16,000. … The leaked Dave database contains 7,516,691 user records and 3,092,396 email addresses.

It is not known why ShinyHunters leaked this database rather than continue to sell it, but now that it is leaked, other threat actors will dehash the passwords and use the accounts in credential stuffing attacks. [So] be sure to change your password at any other sites where you used the same [credentials].

So each user is worth ⅕¢? These are not the faceless PR ’droids you’re looking for—“Security incident at Dave”:

 As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data. … Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers.

As soon as Dave became aware of this incident, the company immediately initiated an investigation … and is coordinating with law enforcement, including with the FBI. … Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords.

At least they didn’t say, “Your security is important to us.” Alex Wilhelm brings this quick take:

 Dave leaked customer data. … Dave’s leak looks bad, and will test what happens to more nascent fintech properties when they endure this sort of breach.

Before today, had you heard of Dave? I hadn’t, and neither had Powercntrl:

 Never heard of them, either. Apparently, there’s a market for folks who need a bank, but never go into a local branch to do actual banking type things (such as depositing cash).

This little bullet point on their site has suddenly become hilarious, though:

 Security stronger than a bear

If their security is a bear, it must have met its Davy Crockett.

Wait. Pause. What was an analytics company doing with all this PII? jpgoldberg also wants to know:

 I would like to understand why Waydev, the analytics platform, had access to things such as hashed passwords in the first place. I do hope that the people at Dave review that … design choice instead of pinning everything on the third party.

Looks like a pivot. Mathew J. Schwartz clarifies—“Mobile Banking App Breach”:

 Waydev, which is based in San Francisco, first warned on July 2 that its service may have been breached. “We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token,” Waydev says.

Waydev says its investigation into the breach found that from June 10 to July 3, “attackers performed multiple attacks over an AJAX call, performed exploratory activities [and] launched automated scanners,” and also that they may have “cloned repositories from the users who connected via GitHub OAuth.”

It appears that the full impact of the breach at Waydev is still coming to light. For example, cloud-based load testing platform Tricentis Flood … notified customers on June 25 that it had suffered a data breach on June 20, which its automated systems detected the same day.

Have you been pwned? Troy Hunt knows:

  @waydevco was also the root cause of the Dave breach that went into @haveibeenpwned earlier today.

Always find it odd when companies provide an API deliberately designed to enumerate email addresses. … It’s literally an API designed to invade the privacy of customers. Just ridiculous.

But hey, it sure helps make verifying breaches easier!
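Troy Hunt’s complaint above is about an endpoint that answers “is this email registered?” on demand. The following is an added example, not code from this article or from Dave, Waydev or Have I Been Pwned, contrasting a password-reset and a login endpoint that act as an enumeration oracle with versions that return the same response for registered and unregistered addresses. The user table, the outbox, the example addresses and the standard-library PBKDF2 hash (standing in for the bcrypt hashes in the leaked database) are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample user table: email -> (salt, hash). PBKDF2 from the standard
# library stands in for bcrypt; the hash choice is not the point of this example.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


_ALICE_SALT = b"constructed-salt-alice"
USERS = {
    "alice@example.test": (_ALICE_SALT, _hash("correct horse battery", _ALICE_SALT)),
}

# Dummy credential verified when the email is unknown, so an unregistered address
# costs the same hashing work as a registered one (no timing side channel).
_DUMMY_SALT = b"constructed-salt-dummy"
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

# Stands in for the e-mail service: the reset link goes here, never into the HTTP response.
OUTBOX = []


def leaky_reset_request(email: str) -> dict:
    """Enumeration oracle: status code and message reveal whether the address is registered."""
    if email in USERS:
        OUTBOX.append((email, "password reset link"))
        return {"status": 200, "message": "Reset link sent"}
    return {"status": 404, "message": "No account with that email"}


def uniform_reset_request(email: str) -> dict:
    """Identical response for every input; only the mailbox owner learns an account exists."""
    if email in USERS:
        OUTBOX.append((email, "password reset link"))
    return {"status": 200, "message": "If that address is registered, a reset link has been sent"}


def leaky_login(email: str, password: str) -> dict:
    """Distinct errors let a caller tell 'no such user' from 'wrong password'."""
    if email not in USERS:
        return {"ok": False, "message": "Unknown email"}
    salt, stored = USERS[email]
    if hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": True, "message": "Welcome"}
    return {"ok": False, "message": "Wrong password"}


def uniform_login(email: str, password: str) -> dict:
    """One failure message and the same hashing cost whether or not the email is registered."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and email in USERS:
        return {"ok": True, "message": "Welcome"}
    return {"ok": False, "message": "Invalid email or password"}


def is_enumeration_oracle(endpoint, known: str, unknown: str) -> bool:
    """Self-check for your own API: does the response differ between a registered
    and an unregistered address? Any difference is something a caller can harvest."""
    return endpoint(known) != endpoint(unknown)


if __name__ == "__main__":
    known, unknown = "alice@example.test", "nobody@example.test"
    print("leaky reset oracle:", is_enumeration_oracle(leaky_reset_request, known, unknown))
    print("uniform reset oracle:", is_enumeration_oracle(uniform_reset_request, known, unknown))
    print("uniform login oracle:", is_enumeration_oracle(lambda e: uniform_login(e, "x"), known, unknown))
```

The `is_enumeration_oracle` check compares whole response dicts, so it also catches subtler differences such as a changed status code with an unchanged message; in a real review you would extend the same idea to response timing and to headers.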

Meanwhile, R3d M3rcury tees it up, for backslashdot to smash down the fairway:

 And where was Dave when all of this happened?

Removing HAL’s memory banks.

And Finally:

“A nonsensical model invented by inept roboticists trying to understand their failed attempts to build believable sex robots.”

Trigger warnings: Sex robots; freaky faces; occasional swears.

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Nikolay Frolochkin (via Pixabay)

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
